static
PSID
AppendRidToSid(PSID SrcSid,
ULONG Rid)
{
PSID DstSid = NULL;
UCHAR RidCount;
RidCount = *RtlSubAuthorityCountSid(SrcSid);
if (RidCount >= 8)
return NULL;
DstSid = DispatchTable.AllocateLsaHeap(RtlLengthRequiredSid(RidCount + 1));
if (DstSid == NULL)
return NULL;
RtlCopyMemory(DstSid,
SrcSid,
RtlLengthRequiredSid(RidCount));
*RtlSubAuthorityCountSid(DstSid) = RidCount + 1;
*RtlSubAuthoritySid(DstSid, RidCount) = Rid;
return DstSid;
}
/******************************************************************************
* RtlEqualSid [NTDLL.@]
*
*/
BOOL WINAPI RtlEqualSid( PSID pSid1, PSID pSid2 )
{
if (!RtlValidSid(pSid1) || !RtlValidSid(pSid2))
return FALSE;
if (*RtlSubAuthorityCountSid(pSid1) != *RtlSubAuthorityCountSid(pSid2))
return FALSE;
if (memcmp(pSid1, pSid2, RtlLengthSid(pSid1)) != 0)
return FALSE;
return TRUE;
}
NTSTATUS
NTAPI
ScDomainIdToSid (
_In_ PSID SourceSid,
_In_ ULONG DomainId,
_Out_ PSID *DestinationSid
)
{
ULONG sidCount, sidLength;
NTSTATUS status;
/* Get the length of the SID based onthe number of subauthorities */
sidCount = *RtlSubAuthorityCountSid(SourceSid);
sidLength = RtlLengthRequiredSid(sidCount + 1);
/* Allocate it */
*DestinationSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, sidLength);
if (*DestinationSid)
{
/* Make a copy of it */
status = RtlCopySid(sidLength, *DestinationSid, SourceSid);
if (NT_SUCCESS(status))
{
/* Increase the subauthority count */
++*RtlSubAuthorityCountSid(*DestinationSid);
/* And add the specific domain RID we're creating */
*RtlSubAuthoritySid(*DestinationSid, sidCount) = DomainId;
/* Everything worked */
status = STATUS_SUCCESS;
}
else
{
/* The SID copy failed, so free the SID we just allocated */
RtlFreeHeap(RtlGetProcessHeap(), 0, *DestinationSid);
}
}
else
{
/* No space for the SID, bail out */
status = STATUS_NO_MEMORY;
}
/* Return back to the caller */
return status;
}
/*
* ucmShowProcessIntegrityLevel
*
* Purpose:
*
* Output current integrity level of target application.
*
*/
void ucmShowProcessIntegrityLevel(
VOID
)
{
NTSTATUS status;
HANDLE hToken;
ULONG LengthNeeded;
PTOKEN_MANDATORY_LABEL pTIL = NULL;
DWORD dwIntegrityLevel;
WCHAR *t = NULL;
WCHAR szBuffer[MAX_PATH + 1];
status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken);
if (NT_SUCCESS(status)) {
status = NtQueryInformationToken(hToken, TokenIntegrityLevel, NULL, 0, &LengthNeeded);
if (status == STATUS_BUFFER_TOO_SMALL) {
pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, LengthNeeded);
if (pTIL) {
status = NtQueryInformationToken(hToken, TokenIntegrityLevel, pTIL, LengthNeeded, &LengthNeeded);
if (NT_SUCCESS(status)) {
dwIntegrityLevel = *RtlSubAuthoritySid(pTIL->Label.Sid,
(DWORD)(UCHAR)(*RtlSubAuthorityCountSid(pTIL->Label.Sid) - 1));
if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
{
t = L"Low Process";
}
else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&
dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
{
t = L"Medium Process";
}
else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
{
t = L"High Integrity Process";
}
else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)
{
t = L"System Integrity Process";
}
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
wsprintf(szBuffer, L"PID=%lu, IntegrityLevel=%ws",
GetCurrentProcessId(), t);
}
LocalFree(pTIL);
}
}
NtClose(hToken);
}
if (t) MessageBox(GetDesktopWindow(), szBuffer, GetCommandLineW(), MB_ICONINFORMATION);
}
/*
* @implemented
*/
BOOLEAN NTAPI
RtlEqualSid(IN PSID Sid1_,
IN PSID Sid2_)
{
PISID Sid1 = Sid1_;
PISID Sid2 = Sid2_;
SIZE_T SidLen;
PAGED_CODE_RTL();
if (Sid1->Revision != Sid2->Revision ||
(*RtlSubAuthorityCountSid(Sid1)) != (*RtlSubAuthorityCountSid(Sid2)))
{
return(FALSE);
}
SidLen = RtlLengthSid(Sid1);
return RtlCompareMemory(Sid1, Sid2, SidLen) == SidLen;
}
VOID
DisplayAccountSid(
PSID Sid
)
{
UCHAR i;
ULONG Tmp;
PSID_IDENTIFIER_AUTHORITY IdentifierAuthority;
UCHAR SubAuthorityCount;
IdentifierAuthority = RtlIdentifierAuthoritySid(Sid);
//
// HACK! HACK!
// The next line prints the revision of the SID. Since there is no
// rtl routine which gives us the SID revision, we must make due.
// luckily, the revision field is the first field in the SID, so we
// can just cast the pointer.
//
printf("S-%u-", (USHORT) *((PUCHAR) Sid) );
if ( (IdentifierAuthority->Value[0] != 0) ||
(IdentifierAuthority->Value[1] != 0) ){
printf("0x%02hx%02hx%02hx%02hx%02hx%02hx",
IdentifierAuthority->Value[0],
IdentifierAuthority->Value[1],
IdentifierAuthority->Value[2],
IdentifierAuthority->Value[3],
IdentifierAuthority->Value[4],
IdentifierAuthority->Value[5] );
} else {
Tmp = IdentifierAuthority->Value[5] +
(IdentifierAuthority->Value[4] << 8) +
(IdentifierAuthority->Value[3] << 16) +
(IdentifierAuthority->Value[2] << 24);
printf("%lu", Tmp);
}
SubAuthorityCount = *RtlSubAuthorityCountSid(Sid);
for (i=0;i<SubAuthorityCount ;i++ ) {
printf("-%lu", (*RtlSubAuthoritySid(Sid, i)));
}
printf("\n");
}
/******************************************************************************
* RtlAllocateAndInitializeSid [NTDLL.@]
*
*/
BOOLEAN WINAPI RtlAllocateAndInitializeSid (
PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
BYTE nSubAuthorityCount,
DWORD nSubAuthority0, DWORD nSubAuthority1,
DWORD nSubAuthority2, DWORD nSubAuthority3,
DWORD nSubAuthority4, DWORD nSubAuthority5,
DWORD nSubAuthority6, DWORD nSubAuthority7,
PSID *pSid )
{
TRACE("(%p, 0x%04x,0x%08lx,0x%08lx,0x%08lx,0x%08lx,0x%08lx,0x%08lx,0x%08lx,0x%08lx,%p)\n",
pIdentifierAuthority,nSubAuthorityCount,
nSubAuthority0, nSubAuthority1, nSubAuthority2, nSubAuthority3,
nSubAuthority4, nSubAuthority5, nSubAuthority6, nSubAuthority7, pSid);
if (!(*pSid = RtlAllocateHeap( GetProcessHeap(), 0, RtlLengthRequiredSid(nSubAuthorityCount))))
return FALSE;
(*pSid)->Revision = SID_REVISION;
if (pIdentifierAuthority)
memcpy(&(*pSid)->IdentifierAuthority, pIdentifierAuthority, sizeof (SID_IDENTIFIER_AUTHORITY));
*RtlSubAuthorityCountSid(*pSid) = nSubAuthorityCount;
if (nSubAuthorityCount > 0)
*RtlSubAuthoritySid(*pSid, 0) = nSubAuthority0;
if (nSubAuthorityCount > 1)
*RtlSubAuthoritySid(*pSid, 1) = nSubAuthority1;
if (nSubAuthorityCount > 2)
*RtlSubAuthoritySid(*pSid, 2) = nSubAuthority2;
if (nSubAuthorityCount > 3)
*RtlSubAuthoritySid(*pSid, 3) = nSubAuthority3;
if (nSubAuthorityCount > 4)
*RtlSubAuthoritySid(*pSid, 4) = nSubAuthority4;
if (nSubAuthorityCount > 5)
*RtlSubAuthoritySid(*pSid, 5) = nSubAuthority5;
if (nSubAuthorityCount > 6)
*RtlSubAuthoritySid(*pSid, 6) = nSubAuthority6;
if (nSubAuthorityCount > 7)
*RtlSubAuthoritySid(*pSid, 7) = nSubAuthority7;
return STATUS_SUCCESS;
}
static
NTSTATUS
BuildTokenOwner(PTOKEN_OWNER Owner,
PSID OwnerSid)
{
ULONG RidCount;
ULONG Size;
RidCount = *RtlSubAuthorityCountSid(OwnerSid);
Size = RtlLengthRequiredSid(RidCount);
Owner->Owner = DispatchTable.AllocateLsaHeap(Size);
if (Owner->Owner == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlCopyMemory(Owner->Owner,
OwnerSid,
Size);
return STATUS_SUCCESS;
}
static
NTSTATUS
BuildTokenPrimaryGroup(PTOKEN_PRIMARY_GROUP PrimaryGroup,
PSID PrimaryGroupSid)
{
ULONG RidCount;
ULONG Size;
RidCount = *RtlSubAuthorityCountSid(PrimaryGroupSid);
Size = RtlLengthRequiredSid(RidCount);
PrimaryGroup->PrimaryGroup = DispatchTable.AllocateLsaHeap(Size);
if (PrimaryGroup->PrimaryGroup == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlCopyMemory(PrimaryGroup->PrimaryGroup,
PrimaryGroupSid,
Size);
return STATUS_SUCCESS;
}
NTSTATUS
I_NetNotifyDelta (
IN SECURITY_DB_TYPE DbType,
IN LARGE_INTEGER SerialNumber,
IN SECURITY_DB_DELTA_TYPE DeltaType,
IN SECURITY_DB_OBJECT_TYPE ObjectType,
IN ULONG ObjectRid,
IN PSID ObjectSid,
IN PUNICODE_STRING ObjectName,
IN DWORD ReplicateImmediately,
IN PSAM_DELTA_DATA MemberId
)
/*++
Routine Description:
This function is called by the SAM and LSA services after each
change is made to the SAM and LSA databases. The services describe
the type of object that is modified, the type of modification made
on the object, the serial number of this modification etc. This
information is stored for later retrieval when a BDC or member
server wants a copy of this change. See the description of
I_NetSamDeltas for a description of how the change log is used.
Add a change log entry to circular change log maintained in cache as
well as on the disk and update the head and tail pointers
It is assumed that Tail points to a block where this new change log
entry may be stored.
Arguments:
DbType - Type of the database that has been modified.
SerialNumber - The value of the DomainModifiedCount field for the
domain following the modification.
DeltaType - The type of modification that has been made on the object.
ObjectType - The type of object that has been modified.
ObjectRid - The relative ID of the object that has been modified.
This parameter is valid only when the object type specified is
either SecurityDbObjectSamUser, SecurityDbObjectSamGroup or
SecurityDbObjectSamAlias otherwise this parameter is set to zero.
ObjectSid - The SID of the object that has been modified. If the object
modified is in a SAM database, ObjectSid is the DomainId of the Domain
containing the object.
ObjectName - The name of the secret object when the object type
specified is SecurityDbObjectLsaSecret or the old name of the object
when the object type specified is either SecurityDbObjectSamUser,
SecurityDbObjectSamGroup or SecurityDbObjectSamAlias and the delta
type is SecurityDbRename otherwise this parameter is set to NULL.
ReplicateImmediately - TRUE if the change should be immediately
replicated to all BDCs. A password change should set the flag
TRUE.
MemberId - This parameter is specified when group/alias membership
is modified. This structure will then point to the member's ID that
has been updated.
Return Value:
STATUS_SUCCESS - The Service completed successfully.
--*/
{
NTSTATUS Status;
CHANGELOG_ENTRY ChangeLogEntry;
NETLOGON_DELTA_TYPE NetlogonDeltaType;
USHORT Flags = 0;
BOOL LanmanReplicateImmediately = FALSE;
//
// Ensure the role is right. Otherwise, all the globals used below
// aren't initialized.
//
if ( NlGlobalChangeLogRole != ChangeLogPrimary ) {
return STATUS_INVALID_DOMAIN_ROLE;
}
//
// Also make sure that the change log cache is available.
//
if ( NlGlobalChangeLogDesc.Buffer == NULL ) {
return STATUS_INVALID_DOMAIN_ROLE;
}
//
// Determine the database index.
//
if( DbType == SecurityDbLsa ) {
ChangeLogEntry.DBIndex = LSA_DB;
} else if( DbType == SecurityDbSam ) {
if ( RtlEqualSid( ObjectSid, NlGlobalChWorkerBuiltinDomainSid )) {
ChangeLogEntry.DBIndex = BUILTIN_DB;
} else {
ChangeLogEntry.DBIndex = SAM_DB;
}
//
// For the SAM database, we no longer need the ObjectSid.
// Null out the pointer to prevent us from storing it in the
// changelog.
//
ObjectSid = NULL;
} else {
//
// unknown database, do nothing.
//
return STATUS_SUCCESS;
}
//
// Map object type and delta type to NetlogonDeltaType
//
switch( ObjectType ) {
case SecurityDbObjectLsaPolicy:
switch (DeltaType) {
case SecurityDbNew:
case SecurityDbChange:
NetlogonDeltaType = AddOrChangeLsaPolicy;
break;
// unknown delta type
default:
return STATUS_SUCCESS;
}
break;
case SecurityDbObjectLsaTDomain:
switch (DeltaType) {
case SecurityDbNew:
case SecurityDbChange:
NetlogonDeltaType = AddOrChangeLsaTDomain;
//
// Tell the netlogon service to update its in-memory list now.
//
(VOID) NlSendChangeLogNotification( ChangeLogTrustAdded,
NULL,
ObjectSid,
0 );
break;
case SecurityDbDelete:
NetlogonDeltaType = DeleteLsaTDomain;
//
// Tell the netlogon service to update its in-memory list now.
//
(VOID) NlSendChangeLogNotification( ChangeLogTrustDeleted,
NULL,
ObjectSid,
0 );
break;
// unknown delta type
default:
return STATUS_SUCCESS;
}
break;
case SecurityDbObjectLsaAccount:
switch (DeltaType) {
case SecurityDbNew:
case SecurityDbChange:
NetlogonDeltaType = AddOrChangeLsaAccount;
break;
case SecurityDbDelete:
NetlogonDeltaType = DeleteLsaAccount;
break;
// unknown delta type
default:
return STATUS_SUCCESS;
}
break;
case SecurityDbObjectLsaSecret:
switch (DeltaType) {
case SecurityDbNew:
case SecurityDbChange:
NetlogonDeltaType = AddOrChangeLsaSecret;
break;
case SecurityDbDelete:
NetlogonDeltaType = DeleteLsaSecret;
break;
// unknown delta type
default:
return STATUS_SUCCESS;
}
break;
case SecurityDbObjectSamDomain:
switch (DeltaType) {
case SecurityDbNew:
case SecurityDbChange:
NetlogonDeltaType = AddOrChangeDomain;
break;
// unknown delta type
default:
return STATUS_SUCCESS;
}
break;
case SecurityDbObjectSamUser:
switch (DeltaType) {
case SecurityDbChangePassword:
Flags |= CHANGELOG_PASSWORD_CHANGE;
LanmanReplicateImmediately = TRUE;
NetlogonDeltaType = AddOrChangeUser;
break;
case SecurityDbNew:
//
// For down-level system, a newly added user needs to
// have it's membership in "Domain Users" updated, too.
// The following worker entry will add the additional
// delta entry and increment the serial number
// accordingly.
//
LOCK_CHANGELOG();
if( IsChangeLogWorkerRunning() ) {
(VOID) NlAddWorkerQueueEntry( ChangeLogAddUser, ObjectRid );
}
UNLOCK_CHANGELOG();
NetlogonDeltaType = AddOrChangeUser;
break;
case SecurityDbChange:
NetlogonDeltaType = AddOrChangeUser;
break;
//
// This is a dummy delta sent by chworker to indicate that "Domain Users"
// was added as a member of this user.
//
case SecurityDbChangeMemberAdd:
Flags |= CHANGELOG_DOMAINUSERS_CHANGED;
NetlogonDeltaType = AddOrChangeUser;
break;
case SecurityDbDelete:
//
// This might be a Lanman BDC so check to be sure.
//
NlLmBdcListDel( ObjectRid );
NetlogonDeltaType = DeleteUser;
break;
case SecurityDbRename:
NetlogonDeltaType = RenameUser;
//
// For down-level system, Rename user is handled as two
// deltas, viz. 1) Delete old user and 2) Add new user.
// The following worker entry will add the additional
// delta entry and increment the serial number
// accordingly.
//
LOCK_CHANGELOG();
if( IsChangeLogWorkerRunning() ) {
(VOID) NlAddWorkerQueueEntry( ChangeLogRenameUser, ObjectRid );
}
UNLOCK_CHANGELOG();
break;
//
// unknown delta type
//
default:
return STATUS_SUCCESS;
}
break;
case SecurityDbObjectSamGroup:
switch ( DeltaType ) {
case SecurityDbNew:
case SecurityDbChange:
NetlogonDeltaType = AddOrChangeGroup;
break;
case SecurityDbDelete:
NetlogonDeltaType = DeleteGroup;
//
// when a global group is deleted, we also delete it
// from the special group list, if it is included
// in the list.
//
LOCK_CHANGELOG();
if( IsChangeLogWorkerRunning() ) {
PGLOBAL_GROUP_ENTRY GroupEntry;
GroupEntry = NlGetGroupEntry (
&NlGlobalSpecialServerGroupList,
ObjectRid );
if( GroupEntry != NULL ) {
RemoveEntryList( &GroupEntry->Next );
NetpMemoryFree( GroupEntry );
}
}
UNLOCK_CHANGELOG();
break;
case SecurityDbRename:
NetlogonDeltaType = RenameGroup;
//
// For down-level system, Rename group is handled as
// three deltas, viz. 1) Delete old group, 2) Add new
// group and 3. Changemembership of new group. The
// following worker entry will add the additional
// two delta entries and increment the serial number
// accordingly.
//
LOCK_CHANGELOG();
if( IsChangeLogWorkerRunning() ) {
(VOID) NlAddWorkerQueueEntry( ChangeLogRenameGroup, ObjectRid );
}
UNLOCK_CHANGELOG();
break;
case SecurityDbChangeMemberAdd:
case SecurityDbChangeMemberSet:
case SecurityDbChangeMemberDel: {
UNICODE_STRING ServersGroup;
NetlogonDeltaType = ChangeGroupMembership;
//
// without object name we can't do much here.
//
if( ObjectName == NULL ) {
break;
}
//
// do something for down level
//
RtlInitUnicodeString( &ServersGroup, SSI_SERVER_GROUP_W );
LOCK_CHANGELOG();
if( RtlEqualUnicodeString(
&ServersGroup, ObjectName, (BOOLEAN)TRUE ) ) {
//
// Handle a new LM BDC.
//
if( DeltaType == SecurityDbChangeMemberAdd ) {
NlLmBdcListAdd( MemberId->GroupMemberId.MemberRid );
//
// Handle an LM BDC being deleted.
//
} else if( DeltaType == SecurityDbChangeMemberDel ) {
NlLmBdcListDel( MemberId->GroupMemberId.MemberRid );
}
} else {
if( IsChangeLogWorkerRunning() ) {
//
// Change log work is running. If the global groups
// list watched is empty, add this delta in the
// queue anyway, otherwise add this delta to entry
// only if this group is monitored.
//
if( IsListEmpty( &NlGlobalSpecialServerGroupList ) ||
( NlGetGroupEntry(
&NlGlobalSpecialServerGroupList,
ObjectRid ) != NULL ) ) {
(VOID) NlAddWorkerQueueEntry(
ChangeLogGroupMembership,
MemberId->GroupMemberId.MemberRid );
}
}
}
UNLOCK_CHANGELOG();
break;
}
//
// unknown delta type
//
default:
return STATUS_SUCCESS;
}
break;
case SecurityDbObjectSamAlias:
switch (DeltaType) {
case SecurityDbNew:
case SecurityDbChange:
NetlogonDeltaType = AddOrChangeAlias;
break;
case SecurityDbDelete:
NetlogonDeltaType = DeleteAlias;
break;
case SecurityDbRename:
NetlogonDeltaType = RenameAlias;
break;
case SecurityDbChangeMemberAdd:
case SecurityDbChangeMemberSet:
case SecurityDbChangeMemberDel:
NetlogonDeltaType = ChangeAliasMembership;
LOCK_CHANGELOG();
//
// if this delta is BUILTIN domain delta and the group
// modified is special group then add this delta to
// workers queue if it is running.
//
if ( (ChangeLogEntry.DBIndex == BUILTIN_DB) &&
( IsChangeLogWorkerRunning() ) &&
( IsSpecialLocalGroup( ObjectRid ) ) ) {
ULONG Rid;
PUCHAR SubAuthorityCount;
BOOLEAN EqualSid;
//
// if the member modified belongs to the local SAM
// database.
//
SubAuthorityCount =
RtlSubAuthorityCountSid(
MemberId->AliasMemberId.MemberSid);
(*SubAuthorityCount)--;
if( NlGlobalChWorkerSamDomainSid != NULL ) {
EqualSid = RtlEqualSid(
NlGlobalChWorkerSamDomainSid,
MemberId->AliasMemberId.MemberSid);
} else {
EqualSid = FALSE;
}
(*SubAuthorityCount)++;
if( EqualSid ) {
Rid = *RtlSubAuthoritySid(
MemberId->AliasMemberId.MemberSid,
(*SubAuthorityCount) -1 );
(VOID) NlAddWorkerQueueEntry(
ChangeLogAliasMembership,
Rid );
//
// add this member in the global group list,
// since this member may be a global group and we
// don't want to miss any delta made on this group.
// Worker thread will adjust the list and remove
// unwanted user entries from the list.
//
Status = NlAddGroupEntry(
&NlGlobalSpecialServerGroupList,
Rid );
if ( !NT_SUCCESS(Status) ) {
NlPrint((NL_CRITICAL,
"NlAddGroupEntry failed %lx\n",
Status ) );
}
}
}
UNLOCK_CHANGELOG();
break;
// unknown delta type
default:
return STATUS_SUCCESS;
}
break;
default:
// unknown object type
return STATUS_SUCCESS;
}
//
// Build the changelog entry and write it to the changelog
//
ChangeLogEntry.DeltaType = NetlogonDeltaType;
ChangeLogEntry.SerialNumber = SerialNumber;
ChangeLogEntry.ObjectRid = ObjectRid;
ChangeLogEntry.Flags = ReplicateImmediately ? CHANGELOG_REPLICATE_IMMEDIATELY : 0;
ChangeLogEntry.Flags |= Flags;
(VOID) NlWriteChangeLogEntry( &NlGlobalChangeLogDesc, &ChangeLogEntry, ObjectSid, ObjectName, TRUE );
//
// If this change requires immediate replication, do so
//
if( ReplicateImmediately ) {
LOCK_CHANGELOG();
NlGlobalChangeLogReplicateImmediately = TRUE;
UNLOCK_CHANGELOG();
if ( !SetEvent( NlGlobalChangeLogEvent ) ) {
NlPrint((NL_CRITICAL,
"Cannot set ChangeLog event: %lu\n",
GetLastError() ));
}
//
// If this change requires immediate replication to Lanman BDCs, do so
//
} else if( LanmanReplicateImmediately ) {
LOCK_CHANGELOG();
NlGlobalChangeLogLanmanReplicateImmediately = TRUE;
UNLOCK_CHANGELOG();
if ( !SetEvent( NlGlobalChangeLogEvent ) ) {
NlPrint((NL_CRITICAL,
"Cannot set ChangeLog event: %lu\n",
GetLastError() ));
}
}
return STATUS_SUCCESS;
}
NTSTATUS NTAPI
LsaApLogonUserEx (PLSA_CLIENT_REQUEST request, SECURITY_LOGON_TYPE logon_type,
PVOID auth, PVOID client_auth_base, ULONG auth_len,
PVOID *pbuf, PULONG pbuf_len, PLUID logon_id,
PNTSTATUS sub_stat, PLSA_TOKEN_INFORMATION_TYPE tok_type,
PVOID *tok, PUNICODE_STRING *account,
PUNICODE_STRING *authority, PUNICODE_STRING *machine)
{
DWORD checksum, i;
PDWORD csp, csp_end;
NTSTATUS stat;
SECPKG_CLIENT_INFO clinf;
PLSA_TOKEN_INFORMATION_V2 tokinf;
cyglsa_t *authinf = (cyglsa_t *) auth;
/* Check if the caller has the SeTcbPrivilege, otherwise refuse service. */
stat = funcs->GetClientInfo (&clinf);
if (stat != STATUS_SUCCESS)
{
cyglsa_printf ("GetClientInfo failed: 0x%08lx\n", stat);
return stat;
}
if (!clinf.HasTcbPrivilege)
{
cyglsa_printf ("Client has no TCB privilege. Access denied.\n");
return STATUS_ACCESS_DENIED;
}
/* Make a couple of validity checks. */
if (auth_len < sizeof *authinf
|| authinf->magic != CYG_LSA_MAGIC
|| !authinf->username[0]
|| !authinf->domain[0])
{
cyglsa_printf ("Invalid authentication parameter.\n");
return STATUS_INVALID_PARAMETER;
}
checksum = CYG_LSA_MAGIC;
csp = (PDWORD) &authinf->username;
csp_end = (PDWORD) ((PBYTE) authinf + auth_len);
while (csp < csp_end)
checksum += *csp++;
if (authinf->checksum != checksum)
{
cyglsa_printf ("Invalid checksum.\n");
return STATUS_INVALID_PARAMETER_3;
}
/* Set account to username and authority to domain resp. machine name.
The name of the logon account name as returned by LookupAccountSid
is created from here as "authority\account". */
authinf->username[UNLEN] = '\0';
authinf->domain[MAX_DOMAIN_NAME_LEN] = '\0';
if (account && !(*account = uni_alloc (authinf->username,
wcslen (authinf->username))))
{
cyglsa_printf ("No memory trying to create account.\n");
return STATUS_NO_MEMORY;
}
if (authority && !(*authority = uni_alloc (authinf->domain,
wcslen (authinf->domain))))
{
cyglsa_printf ("No memory trying to create authority.\n");
return STATUS_NO_MEMORY;
}
if (machine)
{
WCHAR mach[MAX_COMPUTERNAME_LENGTH + 1];
DWORD msize = MAX_COMPUTERNAME_LENGTH + 1;
if (!GetComputerNameW (mach, &msize))
wcscpy (mach, L"UNKNOWN");
if (!(*machine = uni_alloc (mach, wcslen (mach))))
{
cyglsa_printf ("No memory trying to create machine.\n");
return STATUS_NO_MEMORY;
}
}
/* Create a fake buffer in pbuf which is free'd again in the client.
Windows 2000 tends to crash when setting this pointer to NULL. */
if (pbuf)
{
#ifdef JUST_ANOTHER_NONWORKING_SOLUTION
cygprf_t prf;
WCHAR sam_username[MAX_DOMAIN_NAME_LEN + UNLEN + 2];
SECURITY_STRING sam_user, prefix;
PUCHAR user_auth;
ULONG user_auth_size;
WCHAR flatname[UNLEN + 1];
UNICODE_STRING flatnm;
TOKEN_SOURCE ts;
HANDLE token;
#endif /* JUST_ANOTHER_NONWORKING_SOLUTION */
stat = funcs->AllocateClientBuffer (request, 64UL, pbuf);
if (!LSA_SUCCESS (stat))
{
cyglsa_printf ("AllocateClientBuffer failed: 0x%08lx\n", stat);
return stat;
}
#ifdef JUST_ANOTHER_NONWORKING_SOLUTION
prf.magic_pre = MAGIC_PRE;
prf.token = NULL;
prf.magic_post = MAGIC_POST;
#if 0
/* That's how it was supposed to work according to MSDN... */
wcscpy (sam_username, authinf->domain);
wcscat (sam_username, L"\\");
wcscat (sam_username, authinf->username);
#else
/* That's the only solution which worked, and then it only worked
for machine local accounts. No domain authentication possible.
STATUS_NO_SUCH_USER galore! */
wcscpy (sam_username, authinf->username);
#endif
RtlInitUnicodeString (&sam_user, sam_username);
RtlInitUnicodeString (&prefix, L"");
RtlInitEmptyUnicodeString (&flatnm, flatname,
(UNLEN + 1) * sizeof (WCHAR));
stat = funcs->GetAuthDataForUser (&sam_user, SecNameSamCompatible,
NULL, &user_auth,
&user_auth_size, &flatnm);
if (!NT_SUCCESS (stat))
{
char sam_u[MAX_DOMAIN_NAME_LEN + UNLEN + 2];
wcstombs (sam_u, sam_user.Buffer, sizeof (sam_u));
cyglsa_printf ("GetAuthDataForUser (%u,%u,%s) failed: 0x%08lx\n",
sam_user.Length, sam_user.MaximumLength, sam_u, stat);
return stat;
}
memcpy (ts.SourceName, "Cygwin.1", 8);
ts.SourceIdentifier.HighPart = 0;
ts.SourceIdentifier.LowPart = 0x0104;
RtlInitEmptyUnicodeString (&flatnm, flatname,
(UNLEN + 1) * sizeof (WCHAR));
stat = funcs->ConvertAuthDataToToken (user_auth, user_auth_size,
SecurityDelegation, &ts,
Interactive, *authority,
&token, logon_id, &flatnm,
sub_stat);
if (!NT_SUCCESS (stat))
{
cyglsa_printf ("ConvertAuthDataToToken failed: 0x%08lx\n", stat);
return stat;
}
stat = funcs->DuplicateHandle (token, &prf.token);
if (!NT_SUCCESS (stat))
{
cyglsa_printf ("DuplicateHandle failed: 0x%08lx\n", stat);
return stat;
}
stat = funcs->CopyToClientBuffer (request, sizeof prf, *pbuf, &prf);
if (!NT_SUCCESS (stat))
{
cyglsa_printf ("CopyToClientBuffer failed: 0x%08lx\n", stat);
return stat;
}
funcs->FreeLsaHeap (user_auth);
#endif /* JUST_ANOTHER_NONWORKING_SOLUTION */
}
if (pbuf_len)
*pbuf_len = 64UL;
/* A PLSA_TOKEN_INFORMATION_V2 is allocated in one piece, so... */
#if defined (__x86_64__) || defined (_M_AMD64)
{
/* ...on 64 bit systems we have to convert the incoming 32 bit offsets
into 64 bit pointers. That requires to re-evaluate the size of the
outgoing tokinf structure and a somewhat awkward procedure to copy
the information over. */
LONG_PTR base;
PBYTE tptr;
DWORD size, newsize;
PSID src_sid;
PCYG_TOKEN_GROUPS src_grps;
PTOKEN_GROUPS grps;
PTOKEN_PRIVILEGES src_privs;
PACL src_acl;
base = (LONG_PTR) &authinf->inf;
newsize = authinf->inf_size;
newsize += sizeof (TOKEN_USER) - sizeof (CYG_TOKEN_USER); /* User SID */
newsize += sizeof (PTOKEN_GROUPS) - sizeof (OFFSET); /* Groups */
src_grps = (PCYG_TOKEN_GROUPS) (base + authinf->inf.Groups);
newsize += src_grps->GroupCount /* Group SIDs */
* (sizeof (SID_AND_ATTRIBUTES)
- sizeof (CYG_SID_AND_ATTRIBUTES));
newsize += sizeof (PSID) - sizeof (OFFSET); /* Primary Group SID */
newsize += sizeof (PTOKEN_PRIVILEGES) - sizeof (OFFSET); /* Privileges */
newsize += 0; /* Owner SID */
newsize += sizeof (PACL) - sizeof (OFFSET); /* Default DACL */
if (!(tokinf = funcs->AllocateLsaHeap (newsize)))
return STATUS_NO_MEMORY;
tptr = (PBYTE)(tokinf + 1);
tokinf->ExpirationTime = authinf->inf.ExpirationTime;
/* User SID */
src_sid = (PSID) (base + authinf->inf.User.User.Sid);
size = RtlLengthSid (src_sid);
RtlCopySid (size, (PSID) tptr, src_sid);
tokinf->User.User.Sid = (PSID) tptr;
tptr += size;
tokinf->User.User.Attributes = authinf->inf.User.User.Attributes;
/* Groups */
grps = (PTOKEN_GROUPS) tptr;
tokinf->Groups = grps;
grps->GroupCount = src_grps->GroupCount;
tptr += sizeof grps->GroupCount
+ grps->GroupCount * sizeof (SID_AND_ATTRIBUTES);
/* Group SIDs */
for (i = 0; i < src_grps->GroupCount; ++i)
{
src_sid = (PSID) (base + src_grps->Groups[i].Sid);
size = RtlLengthSid (src_sid);
RtlCopySid (size, (PSID) tptr, src_sid);
tokinf->Groups->Groups[i].Sid = (PSID) tptr;
tptr += size;
tokinf->Groups->Groups[i].Attributes = src_grps->Groups[i].Attributes;
}
/* Primary Group SID */
src_sid = (PSID) (base + authinf->inf.PrimaryGroup.PrimaryGroup);
size = RtlLengthSid (src_sid);
RtlCopySid (size, (PSID) tptr, src_sid);
tokinf->PrimaryGroup.PrimaryGroup = (PSID) tptr;
tptr += size;
/* Privileges */
src_privs = (PTOKEN_PRIVILEGES) (base + authinf->inf.Privileges);
size = sizeof src_privs->PrivilegeCount
+ src_privs->PrivilegeCount * sizeof (LUID_AND_ATTRIBUTES);
memcpy (tptr, src_privs, size);
tokinf->Privileges = (PTOKEN_PRIVILEGES) tptr;
tptr += size;
/* Owner */
tokinf->Owner.Owner = NULL;
/* Default DACL */
src_acl = (PACL) (base + authinf->inf.DefaultDacl.DefaultDacl);
size = src_acl->AclSize;
memcpy (tptr, src_acl, size);
tokinf->DefaultDacl.DefaultDacl = (PACL) tptr;
}
#else
{
/* ...on 32 bit systems we just allocate tokinf with the same size as
we get, copy the whole structure and convert offsets into pointers. */
/* Allocate LUID for usage in the logon SID on Windows 2000. This is
not done in the 64 bit code above for hopefully obvious reasons... */
LUID logon_sid_id;
if (must_create_logon_sid
&& !NT_SUCCESS (NtAllocateLocallyUniqueId (&logon_sid_id)))
return STATUS_INSUFFICIENT_RESOURCES;
if (!(tokinf = funcs->AllocateLsaHeap (authinf->inf_size)))
return STATUS_NO_MEMORY;
memcpy (tokinf, &authinf->inf, authinf->inf_size);
/* User SID */
tokinf->User.User.Sid = (PSID)
((PBYTE) tokinf + (LONG_PTR) tokinf->User.User.Sid);
/* Groups */
tokinf->Groups = (PTOKEN_GROUPS)
((PBYTE) tokinf + (LONG_PTR) tokinf->Groups);
/* Group SIDs */
for (i = 0; i < tokinf->Groups->GroupCount; ++i)
{
tokinf->Groups->Groups[i].Sid = (PSID)
((PBYTE) tokinf + (LONG_PTR) tokinf->Groups->Groups[i].Sid);
if (must_create_logon_sid
&& tokinf->Groups->Groups[i].Attributes & SE_GROUP_LOGON_ID
&& *RtlSubAuthorityCountSid (tokinf->Groups->Groups[i].Sid) == 3
&& *RtlSubAuthoritySid (tokinf->Groups->Groups[i].Sid, 0)
== SECURITY_LOGON_IDS_RID)
{
*RtlSubAuthoritySid (tokinf->Groups->Groups[i].Sid, 1)
= logon_sid_id.HighPart;
*RtlSubAuthoritySid (tokinf->Groups->Groups[i].Sid, 2)
= logon_sid_id.LowPart;
}
}
/* Primary Group SID */
tokinf->PrimaryGroup.PrimaryGroup = (PSID)
((PBYTE) tokinf + (LONG_PTR) tokinf->PrimaryGroup.PrimaryGroup);
/* Privileges */
tokinf->Privileges = (PTOKEN_PRIVILEGES)
((PBYTE) tokinf + (LONG_PTR) tokinf->Privileges);
/* Owner SID */
tokinf->Owner.Owner = NULL;
/* Default DACL */
tokinf->DefaultDacl.DefaultDacl = (PACL)
((PBYTE) tokinf + (LONG_PTR) tokinf->DefaultDacl.DefaultDacl);
}
#endif
*tok = (PVOID) tokinf;
*tok_type = LsaTokenInformationV2;
print_tokinf (tokinf, authinf->inf_size, authinf, &authinf->inf,
(PVOID)((LONG_PTR) &authinf->inf + authinf->inf_size));
/* Create logon session. */
stat = NtAllocateLocallyUniqueId (logon_id);
if (!NT_SUCCESS (stat))
{
funcs->FreeLsaHeap (*tok);
*tok = NULL;
cyglsa_printf ("NtAllocateLocallyUniqueId status 0x%08lx\n", stat);
return STATUS_INSUFFICIENT_RESOURCES;
}
stat = funcs->CreateLogonSession (logon_id);
if (stat != STATUS_SUCCESS)
{
funcs->FreeLsaHeap (*tok);
*tok = NULL;
cyglsa_printf ("CreateLogonSession failed: 0x%08lx\n", stat);
return stat;
}
cyglsa_printf ("BINGO!!!\n", stat);
return STATUS_SUCCESS;
}
/******************************************************************************
* GetSidSubAuthorityCount [ADVAPI32.@]
*
* PARAMS
* pSid []
*/
PUCHAR WINAPI
GetSidSubAuthorityCount (PSID pSid)
{
return RtlSubAuthorityCountSid(pSid);
}
NTSTATUS
SampFixBug18471 (
IN ULONG Revision
)
/*++
Routine Description:
This routine fixes bug 18471, that SAM does not adjust the protection
on groups that are members of administrative aliases in the builtin
domain. It fixes this by opening a fixed set of known aliases
(Administrators, Account Operators, Backup Operators, Print Operators,
and Server Operators), and enumerating their members. To fix this,
we will remove all the members of these aliases (except the
Administrator user account) and re-add them.
Arguments:
Revision - Revision of the Sam server.
Return Value:
Note:
--*/
{
NTSTATUS Status;
ULONG Index, Index2;
PSID BuiltinDomainSid = NULL;
SID_IDENTIFIER_AUTHORITY BuiltinAuthority = SECURITY_NT_AUTHORITY;
PSID AccountDomainSid;
ULONG AccountDomainIndex = 0xffffffff;
ULONG BuiltinDomainIndex = 0xffffffff;
SAMPR_PSID_ARRAY AliasMembership;
ULONG MemberRid;
ULONG SdRevision;
PSECURITY_DESCRIPTOR OldDescriptor;
PSECURITY_DESCRIPTOR SecurityDescriptor;
ULONG SecurityDescriptorLength;
SAMP_OBJECT_TYPE MemberType;
PSAMP_OBJECT MemberContext;
PSAMP_OBJECT AliasContext;
SAMP_V1_0A_FIXED_LENGTH_GROUP GroupV1Fixed;
SAMP_V1_0A_FIXED_LENGTH_USER UserV1Fixed;
//
// Check the revision on the server to see if this upgrade has
// already been performed.
//
if (Revision >= SAMP_SERVER_REVISION) {
//
// This upgrade has already been performed.
//
goto Cleanup;
}
//
// Build a the BuiltIn domain SID.
//
BuiltinDomainSid = RtlAllocateHeap(RtlProcessHeap(), 0,RtlLengthRequiredSid( 1 ));
if ( BuiltinDomainSid == NULL ) {
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
RtlInitializeSid( BuiltinDomainSid, &BuiltinAuthority, 1 );
*(RtlSubAuthoritySid( BuiltinDomainSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
//
// Lookup the index of the account domain
//
for (Index = 0;
Index < SampDefinedDomainsCount ;
Index++ ) {
if (RtlEqualSid( BuiltinDomainSid, SampDefinedDomains[Index].Sid)) {
BuiltinDomainIndex = Index;
} else {
AccountDomainIndex = Index;
}
}
ASSERT(AccountDomainIndex < SampDefinedDomainsCount);
ASSERT(BuiltinDomainIndex < SampDefinedDomainsCount);
AccountDomainSid = SampDefinedDomains[AccountDomainIndex].Sid;
//
// Create out transaction log
//
Status = SampCreate18471Key();
if (!NT_SUCCESS(Status)) {
goto Cleanup;
}
//
// Now loop through and open the aliases we are intersted in
//
for (Index = 0;
Index < ADMINISTRATIVE_ALIAS_COUNT ;
Index++ )
{
SampSetTransactionDomain( BuiltinDomainIndex );
SampAcquireReadLock();
Status = SampCreateAccountContext(
SampAliasObjectType,
AdministrativeRids[Index],
TRUE, // Trusted client
TRUE, // Account exists
&AliasContext
);
if ( !NT_SUCCESS(Status) ) {
SampReleaseReadLock();
if (Status == STATUS_NO_SUCH_ALIAS) {
Status = STATUS_SUCCESS;
continue;
} else {
goto Cleanup;
}
}
//
// Get the members in the alias so we can remove and re-add them
//
Status = SampRetrieveAliasMembers(
AliasContext,
&(AliasMembership.Count),
(PSID **)&(AliasMembership.Sids)
);
SampDeleteContext(AliasContext);
SampReleaseReadLock();
if (!NT_SUCCESS(Status)) {
break;
}
//
// Write that we are opening this alias to the log. We don't need
// to do this for administrators, since for them we the update is
// idempotent.
//
if (AdministrativeRids[Index] != DOMAIN_ALIAS_RID_ADMINS) {
Status = SampAddAliasTo18471Key(
AdministrativeRids[Index]
);
if (!NT_SUCCESS(Status)) {
break;
}
}
//
// Loop through the members and split each sid. For every
// member in the account domain , remove it and re-add it from
// this alias.
//
for (Index2 = 0; Index2 < AliasMembership.Count ; Index2++ )
{
//
// Check to see if this account is in the account domain
//
if ( SampMatchDomainPrefix(
(PSID) AliasMembership.Sids[Index2].SidPointer,
AccountDomainSid
) )
{
//
// Get the RID for this member
//
MemberRid = *RtlSubAuthoritySid(
AliasMembership.Sids[Index2].SidPointer,
*RtlSubAuthorityCountSid(
AliasMembership.Sids[Index2].SidPointer
) - 1
);
//
// Now remove and re-add the administratie nature of this
// membership
//
if (AdministrativeRids[Index] == DOMAIN_ALIAS_RID_ADMINS) {
Status = SampAcquireWriteLock();
if (!NT_SUCCESS(Status)) {
break;
}
SampSetTransactionDomain( AccountDomainIndex );
//
// Try to create a context for the account as a group.
//
Status = SampCreateAccountContext(
SampGroupObjectType,
MemberRid,
TRUE, // Trusted client
TRUE, // Account exists
&MemberContext
);
if (!NT_SUCCESS( Status ) ) {
//
// If this ID does not exist as a group, that's fine -
// it might be a user or might have been deleted.
//
SampReleaseWriteLock( FALSE );
if (Status == STATUS_NO_SUCH_GROUP) {
Status = STATUS_SUCCESS;
continue;
}
break;
}
//
// Now set a flag in the group itself,
// so that when users are added and removed
// in the future it is known whether this
// group is in an ADMIN alias or not.
//
Status = SampRetrieveGroupV1Fixed(
MemberContext,
&GroupV1Fixed
);
if ( NT_SUCCESS(Status)) {
GroupV1Fixed.AdminCount = 1;
Status = SampReplaceGroupV1Fixed(
MemberContext,
&GroupV1Fixed
);
//
// Modify the security descriptor to
// prevent account operators from adding
// anybody to this group
//
if ( NT_SUCCESS( Status ) ) {
Status = SampGetAccessAttribute(
MemberContext,
SAMP_GROUP_SECURITY_DESCRIPTOR,
FALSE, // don't make copy
&SdRevision,
&OldDescriptor
);
if (NT_SUCCESS(Status)) {
Status = SampModifyAccountSecurity(
SampGroupObjectType,
TRUE, // this is an admin
OldDescriptor,
&SecurityDescriptor,
&SecurityDescriptorLength
);
}
if ( NT_SUCCESS( Status ) ) {
//
// Write the new security descriptor into the object
//
Status = SampSetAccessAttribute(
MemberContext,
SAMP_USER_SECURITY_DESCRIPTOR,
SecurityDescriptor,
SecurityDescriptorLength
);
MIDL_user_free( SecurityDescriptor );
}
}
if (NT_SUCCESS(Status)) {
//
// Add the modified group to the current transaction
// Don't use the open key handle since we'll be deleting the context.
//
Status = SampStoreObjectAttributes(MemberContext, FALSE);
}
}
//
// Clean up the group context
//
SampDeleteContext(MemberContext);
//
// we don't want the modified count to change
//
SampTransactionWithinDomain = FALSE;
if (NT_SUCCESS(Status)) {
Status = SampReleaseWriteLock( TRUE );
} else {
(VOID) SampReleaseWriteLock( FALSE );
}
}
else
{
//
// Check to see if we've already upgraded this member
//
Status = SampCheckMemberUpgradedFor18471(
AdministrativeRids[Index],
MemberRid);
if (NT_SUCCESS(Status)) {
//
// This member already was upgraded.
//
continue;
} else {
//
// We continue on with the upgrade
//
Status = STATUS_SUCCESS;
}
//
// Change the operator account for the other
// aliases.
//
if (NT_SUCCESS(Status)) {
Status = SampAcquireWriteLock();
if (!NT_SUCCESS(Status)) {
break;
}
SampSetTransactionDomain( AccountDomainIndex );
Status = SampChangeAccountOperatorAccessToMember(
AliasMembership.Sids[Index2].SidPointer,
NoChange,
AddToAdmin
);
//
// If that succeeded, add this member to the log
// as one that was upgraded.
//
if (NT_SUCCESS(Status)) {
Status = SampAddMemberRidTo18471Key(
AdministrativeRids[Index],
MemberRid
);
}
//
// We don't want the modified count to be updated so
// make this not a domain transaction
//
SampTransactionWithinDomain = FALSE;
if (NT_SUCCESS(Status)) {
Status = SampReleaseWriteLock( TRUE );
} else {
(VOID) SampReleaseWriteLock( FALSE );
}
}
if (!NT_SUCCESS(Status)) {
break;
}
}
}
}
SamIFree_SAMPR_PSID_ARRAY(
&AliasMembership
);
AliasMembership.Sids = NULL;
//
// If something up above failed or the upgrade was already done,
// exit now.
//
if (!NT_SUCCESS(Status)) {
break;
}
}
Cleanup:
if (BuiltinDomainSid != NULL) {
RtlFreeHeap(
RtlProcessHeap(),
0,
BuiltinDomainSid
);
}
if (NT_SUCCESS(Status)) {
Status = SampCleanup18471();
}
return(Status);
}
NTSTATUS
NlAddGlobalGroupsToList(
PLIST_ENTRY GroupList,
ULONG LocalGroupID
)
/*++
Routine Description:
This procedure adds the global groups that are member of the given
alias.
Arguments:
GroupList : List to munch.
LocalGroupId : Rid of the local group.
Return Value:
Return NT Status code.
--*/
{
NTSTATUS Status;
SAMPR_HANDLE AliasHandle = NULL;
SAMPR_PSID_ARRAY Members = {0, NULL};
PULONG RidArray = NULL;
DWORD RidArrayLength = 0;
SAMPR_RETURNED_USTRING_ARRAY Names = {0, NULL};
SAMPR_ULONG_ARRAY Use = {0, NULL};
DWORD i;
//
// Open Local Group
//
Status = SamrOpenAlias(
NlGlobalChWorkerBuiltinDBHandle,
0, // No desired access
LocalGroupID,
&AliasHandle );
if (!NT_SUCCESS(Status)) {
AliasHandle = NULL;
goto Cleanup;
}
//
// Enumerate members in this local group.
//
Status = SamrGetMembersInAlias(
AliasHandle,
&Members );
if (!NT_SUCCESS(Status)) {
Members.Sids = NULL;
goto Cleanup;
}
//
// Determine the SIDs that belong to the Account Domain and get the
// RIDs of them.
//
if( Members.Count == 0) {
Status = STATUS_SUCCESS;
goto Cleanup;
}
//
// Allocate the maximum size RID array required.
//
RidArray = (PULONG)NetpMemoryAllocate( Members.Count * sizeof(ULONG) );
if( RidArray == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
for( i = 0; i < Members.Count; i++) {
PUCHAR SubAuthorityCount;
BOOLEAN EqualSid;
SubAuthorityCount =
RtlSubAuthorityCountSid(Members.Sids[i].SidPointer);
(*SubAuthorityCount)--;
EqualSid = RtlEqualSid( NlGlobalChWorkerSamDomainSid,
Members.Sids[i].SidPointer );
(*SubAuthorityCount)++;
if( EqualSid ) {
RidArray[RidArrayLength] =
*RtlSubAuthoritySid( Members.Sids[i].SidPointer,
(*SubAuthorityCount) -1 );
RidArrayLength++;
}
}
if( RidArrayLength == 0) {
Status = STATUS_SUCCESS;
goto Cleanup;
}
//
// Get Group RIDs and add them to list.
//
Status = SamrLookupIdsInDomain( NlGlobalChWorkerSamDBHandle,
RidArrayLength,
RidArray,
&Names,
&Use );
if ( !NT_SUCCESS(Status) ) {
Names.Element = NULL;
Use.Element = NULL;
if( Status == STATUS_NONE_MAPPED ) {
//
// if no SID is mapped, we can't do much here.
//
NlPrint((NL_CRITICAL,
"NlAddGlobalGroupsToList could not map any SID from "
"local group, RID = %lx \n", LocalGroupID ));
Status = STATUS_SUCCESS;
}
goto Cleanup;
}
NlAssert( Names.Count == RidArrayLength );
NlAssert( Names.Element != NULL );
NlAssert( Use.Count == RidArrayLength );
NlAssert( Use.Element != NULL );
//
// Find groups and add them to list.
//
for( i = 0; i < RidArrayLength; i++ ) {
if( Use.Element[i] == SidTypeGroup ) {
//
// we found a group, add it to the list if it is not there
// already.
//
if( NlGetGroupEntry( GroupList, RidArray[i] ) != NULL ) {
//
// entry already in the list.
//
continue;
}
//
// add an entry to the list.
//
Status = NlAddGroupEntry( GroupList, RidArray[i] );
if ( !NT_SUCCESS(Status) ) {
goto Cleanup;
}
}
}
Cleanup:
if( Names.Element != NULL ) {
SamIFree_SAMPR_RETURNED_USTRING_ARRAY( &Names );
}
if( Use.Element != NULL ) {
SamIFree_SAMPR_ULONG_ARRAY( &Use );
}
if( RidArray != NULL ) {
NetpMemoryFree( RidArray );
}
if ( Members.Sids != NULL ) {
SamIFree_SAMPR_PSID_ARRAY( (PSAMPR_PSID_ARRAY)&Members );
}
if( AliasHandle != NULL ) {
SamrCloseHandle( &AliasHandle );
}
if ( !NT_SUCCESS(Status) ) {
NlPrint((NL_CRITICAL, "NlAddGlobalGroupsToList failed %lx\n",
Status ));
}
return( Status );
}
BOOLEAN
SampMatchDomainPrefix(
IN PSID AccountSid,
IN PSID DomainSid
)
/*++
Routine Description:
This function compares the domain sid to the domain prefix of an
account sid.
Arguments:
AccountSid - Specifies the account Sid to be compared. The Sid is assumed to be
syntactically valid.
DomainSid - Specifies the domain Sid to compare against.
Return Value:
TRUE - The account Sid is from the Domain specified by the domain Sid
FALSE - The domain prefix of the account Sid did not match the domain.
--*/
{
//
// Check if the account Sid has one more subauthority than the
// domain Sid.
//
if (*RtlSubAuthorityCountSid(DomainSid) + 1 !=
*RtlSubAuthorityCountSid(AccountSid)) {
return(FALSE);
}
if (memcmp(
RtlIdentifierAuthoritySid(DomainSid),
RtlIdentifierAuthoritySid(AccountSid),
sizeof(SID_IDENTIFIER_AUTHORITY) ) ) {
return(FALSE);
}
//
// Compare the sub authorities
//
if (memcmp(
RtlSubAuthoritySid(DomainSid, 0) ,
RtlSubAuthoritySid(AccountSid, 0) ,
*RtlSubAuthorityCountSid(DomainSid)
))
{
return(FALSE);
}
return(TRUE);
}
BOOLEAN
TSeVariableInitialization()
/*++
Routine Description:
This function initializes the global variables used in security
tests.
Arguments:
None.
Return Value:
TRUE if variables successfully initialized.
FALSE if not successfully initialized.
--*/
{
ULONG SidWithZeroSubAuthorities;
ULONG SidWithOneSubAuthority;
ULONG SidWithThreeSubAuthorities;
ULONG SidWithFourSubAuthorities;
SID_IDENTIFIER_AUTHORITY NullSidAuthority = SECURITY_NULL_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY LocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY CreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
SID_IDENTIFIER_AUTHORITY BedrockAuthority = BEDROCK_AUTHORITY;
SID_IDENTIFIER_AUTHORITY BedrockAAuthority = BEDROCKA_AUTHORITY;
SID_IDENTIFIER_AUTHORITY BedrockBAuthority = BEDROCKB_AUTHORITY;
SID_IDENTIFIER_AUTHORITY BedrockCAuthority = BEDROCKC_AUTHORITY;
SID_IDENTIFIER_AUTHORITY BedrockDAuthority = BEDROCKD_AUTHORITY;
SID_IDENTIFIER_AUTHORITY BedrockEAuthority = BEDROCKE_AUTHORITY;
//
// The following SID sizes need to be allocated
//
SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 );
SidWithOneSubAuthority = RtlLengthRequiredSid( 1 );
SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 );
SidWithFourSubAuthorities = RtlLengthRequiredSid( 4 );
//
// Allocate and initialize the universal SIDs
//
NullSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
WorldSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
LocalSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
CreatorOwnerSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
CreatorGroupSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
RtlInitializeSid( NullSid, &NullSidAuthority, 1 );
RtlInitializeSid( WorldSid, &WorldSidAuthority, 1 );
RtlInitializeSid( LocalSid, &LocalSidAuthority, 1 );
RtlInitializeSid( CreatorOwnerSid, &CreatorSidAuthority, 1 );
RtlInitializeSid( CreatorGroupSid, &CreatorSidAuthority, 1 );
*(RtlSubAuthoritySid( NullSid, 0 )) = SECURITY_NULL_RID;
*(RtlSubAuthoritySid( WorldSid, 0 )) = SECURITY_WORLD_RID;
*(RtlSubAuthoritySid( LocalSid, 0 )) = SECURITY_LOCAL_RID;
*(RtlSubAuthoritySid( CreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID;
*(RtlSubAuthoritySid( CreatorGroupSid, 0 )) = SECURITY_CREATOR_GROUP_RID;
//
// Allocate and initialize the NT defined SIDs
//
NtAuthoritySid = (PSID)TstAllocatePool(PagedPool,SidWithZeroSubAuthorities);
DialupSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
NetworkSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
BatchSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
InteractiveSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
LocalSystemSid = (PSID)TstAllocatePool(PagedPool,SidWithOneSubAuthority);
RtlInitializeSid( NtAuthoritySid, &NtAuthority, 0 );
RtlInitializeSid( DialupSid, &NtAuthority, 1 );
RtlInitializeSid( NetworkSid, &NtAuthority, 1 );
RtlInitializeSid( BatchSid, &NtAuthority, 1 );
RtlInitializeSid( InteractiveSid, &NtAuthority, 1 );
RtlInitializeSid( LocalSystemSid, &NtAuthority, 1 );
*(RtlSubAuthoritySid( DialupSid, 0 )) = SECURITY_DIALUP_RID;
*(RtlSubAuthoritySid( NetworkSid, 0 )) = SECURITY_NETWORK_RID;
*(RtlSubAuthoritySid( BatchSid, 0 )) = SECURITY_BATCH_RID;
*(RtlSubAuthoritySid( InteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID;
*(RtlSubAuthoritySid( LocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID;
//
// Allocate and initialize the Bedrock SIDs
//
BedrockDomainSid = (PSID)TstAllocatePool(PagedPool,SidWithThreeSubAuthorities);
BedrockADomainSid = (PSID)TstAllocatePool(PagedPool,SidWithThreeSubAuthorities);
BedrockBDomainSid = (PSID)TstAllocatePool(PagedPool,SidWithThreeSubAuthorities);
BedrockCDomainSid = (PSID)TstAllocatePool(PagedPool,SidWithThreeSubAuthorities);
BedrockDDomainSid = (PSID)TstAllocatePool(PagedPool,SidWithThreeSubAuthorities);
BedrockEDomainSid = (PSID)TstAllocatePool(PagedPool,SidWithThreeSubAuthorities);
FredSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
WilmaSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
PebblesSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
DinoSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
BarneySid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
BettySid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
BambamSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
FlintstoneSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
RubbleSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
AdultSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
ChildSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
NeandertholSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities);
RtlInitializeSid( BedrockDomainSid, &BedrockAuthority, 3 );
*(RtlSubAuthoritySid( BedrockDomainSid, 0)) = BEDROCK_SUBAUTHORITY_0;
*(RtlSubAuthoritySid( BedrockDomainSid, 1)) = BEDROCK_SUBAUTHORITY_1;
*(RtlSubAuthoritySid( BedrockDomainSid, 2)) = BEDROCK_SUBAUTHORITY_2;
RtlInitializeSid( BedrockADomainSid, &BedrockAAuthority, 3 );
*(RtlSubAuthoritySid( BedrockADomainSid, 0)) = BEDROCKA_SUBAUTHORITY_0;
*(RtlSubAuthoritySid( BedrockADomainSid, 1)) = BEDROCKA_SUBAUTHORITY_1;
*(RtlSubAuthoritySid( BedrockADomainSid, 2)) = BEDROCKA_SUBAUTHORITY_2;
RtlInitializeSid( BedrockBDomainSid, &BedrockBAuthority, 3 );
*(RtlSubAuthoritySid( BedrockBDomainSid, 0)) = BEDROCKB_SUBAUTHORITY_0;
*(RtlSubAuthoritySid( BedrockBDomainSid, 1)) = BEDROCKB_SUBAUTHORITY_1;
*(RtlSubAuthoritySid( BedrockBDomainSid, 2)) = BEDROCKB_SUBAUTHORITY_2;
RtlInitializeSid( BedrockCDomainSid, &BedrockCAuthority, 3 );
*(RtlSubAuthoritySid( BedrockCDomainSid, 0)) = BEDROCKC_SUBAUTHORITY_0;
*(RtlSubAuthoritySid( BedrockCDomainSid, 1)) = BEDROCKC_SUBAUTHORITY_1;
*(RtlSubAuthoritySid( BedrockCDomainSid, 2)) = BEDROCKC_SUBAUTHORITY_2;
RtlInitializeSid( BedrockDDomainSid, &BedrockDAuthority, 3 );
*(RtlSubAuthoritySid( BedrockDDomainSid, 0)) = BEDROCKD_SUBAUTHORITY_0;
*(RtlSubAuthoritySid( BedrockDDomainSid, 1)) = BEDROCKD_SUBAUTHORITY_1;
*(RtlSubAuthoritySid( BedrockDDomainSid, 2)) = BEDROCKD_SUBAUTHORITY_2;
RtlInitializeSid( BedrockEDomainSid, &BedrockEAuthority, 3 );
*(RtlSubAuthoritySid( BedrockEDomainSid, 0)) = BEDROCKE_SUBAUTHORITY_0;
*(RtlSubAuthoritySid( BedrockEDomainSid, 1)) = BEDROCKE_SUBAUTHORITY_1;
*(RtlSubAuthoritySid( BedrockEDomainSid, 2)) = BEDROCKE_SUBAUTHORITY_2;
RtlCopySid( SidWithFourSubAuthorities, FredSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( FredSid )) += 1;
*(RtlSubAuthoritySid( FredSid, 3)) = FRED_RID;
RtlCopySid( SidWithFourSubAuthorities, WilmaSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( WilmaSid )) += 1;
*(RtlSubAuthoritySid( WilmaSid, 3)) = WILMA_RID;
RtlCopySid( SidWithFourSubAuthorities, PebblesSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( PebblesSid )) += 1;
*(RtlSubAuthoritySid( PebblesSid, 3)) = PEBBLES_RID;
RtlCopySid( SidWithFourSubAuthorities, DinoSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( DinoSid )) += 1;
*(RtlSubAuthoritySid( DinoSid, 3)) = DINO_RID;
RtlCopySid( SidWithFourSubAuthorities, BarneySid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( BarneySid )) += 1;
*(RtlSubAuthoritySid( BarneySid, 3)) = BARNEY_RID;
RtlCopySid( SidWithFourSubAuthorities, BettySid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( BettySid )) += 1;
*(RtlSubAuthoritySid( BettySid, 3)) = BETTY_RID;
RtlCopySid( SidWithFourSubAuthorities, BambamSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( BambamSid )) += 1;
*(RtlSubAuthoritySid( BambamSid, 3)) = BAMBAM_RID;
RtlCopySid( SidWithFourSubAuthorities, FlintstoneSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( FlintstoneSid )) += 1;
*(RtlSubAuthoritySid( FlintstoneSid, 3)) = FLINTSTONE_RID;
RtlCopySid( SidWithFourSubAuthorities, RubbleSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( RubbleSid )) += 1;
*(RtlSubAuthoritySid( RubbleSid, 3)) = RUBBLE_RID;
RtlCopySid( SidWithFourSubAuthorities, AdultSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( AdultSid )) += 1;
*(RtlSubAuthoritySid( AdultSid, 3)) = ADULT_RID;
RtlCopySid( SidWithFourSubAuthorities, ChildSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( ChildSid )) += 1;
*(RtlSubAuthoritySid( ChildSid, 3)) = CHILD_RID;
RtlCopySid( SidWithFourSubAuthorities, NeandertholSid, BedrockDomainSid);
*(RtlSubAuthorityCountSid( NeandertholSid )) += 1;
*(RtlSubAuthoritySid( NeandertholSid, 3)) = NEANDERTHOL_RID;
CreateTokenPrivilege =
RtlConvertLongToLargeInteger(SE_CREATE_TOKEN_PRIVILEGE);
AssignPrimaryTokenPrivilege =
RtlConvertLongToLargeInteger(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE);
LockMemoryPrivilege =
RtlConvertLongToLargeInteger(SE_LOCK_MEMORY_PRIVILEGE);
IncreaseQuotaPrivilege =
RtlConvertLongToLargeInteger(SE_INCREASE_QUOTA_PRIVILEGE);
UnsolicitedInputPrivilege =
RtlConvertLongToLargeInteger(SE_UNSOLICITED_INPUT_PRIVILEGE);
TcbPrivilege =
RtlConvertLongToLargeInteger(SE_TCB_PRIVILEGE);
SecurityPrivilege =
RtlConvertLongToLargeInteger(SE_SECURITY_PRIVILEGE);
TakeOwnershipPrivilege =
RtlConvertLongToLargeInteger(SE_TAKE_OWNERSHIP_PRIVILEGE);
LpcReplyBoostPrivilege =
RtlConvertLongToLargeInteger(SE_LPC_REPLY_BOOST_PRIVILEGE);
CreatePagefilePrivilege =
RtlConvertLongToLargeInteger(SE_CREATE_PAGEFILE_PRIVILEGE);
IncreaseBasePriorityPrivilege =
RtlConvertLongToLargeInteger(SE_INC_BASE_PRIORITY_PRIVILEGE);
SystemProfilePrivilege =
RtlConvertLongToLargeInteger(SE_SYSTEM_PROFILE_PRIVILEGE);
SystemtimePrivilege =
RtlConvertLongToLargeInteger(SE_SYSTEMTIME_PRIVILEGE);
ProfileSingleProcessPrivilege =
RtlConvertLongToLargeInteger(SE_PROF_SINGLE_PROCESS_PRIVILEGE);
CreatePermanentPrivilege =
RtlConvertLongToLargeInteger(SE_CREATE_PERMANENT_PRIVILEGE);
BackupPrivilege =
RtlConvertLongToLargeInteger(SE_BACKUP_PRIVILEGE);
RestorePrivilege =
RtlConvertLongToLargeInteger(SE_RESTORE_PRIVILEGE);
ShutdownPrivilege =
RtlConvertLongToLargeInteger(SE_SHUTDOWN_PRIVILEGE);
DebugPrivilege =
RtlConvertLongToLargeInteger(SE_DEBUG_PRIVILEGE);
return TRUE;
}
/**************************************************************************
* RtlLengthSid [NTDLL.@]
*/
DWORD WINAPI RtlLengthSid(PSID pSid)
{
TRACE("sid=%p\n",pSid);
if (!pSid) return 0;
return RtlLengthRequiredSid(*RtlSubAuthorityCountSid(pSid));
}
